DD-WRT Forum :: View topic - Unbound DNS over TLS Adblock up-to-date root.hints

Unbound DNS over TLS Adblock up-to-date root.hints

DD-WRT Forum Forum Index -> Advanced Networking

Goto page Previous 1, 2, 3, 4, 5 Next

View previous topic :: View next topic

Author

Message

tinkeruntilitworks
Guest

Posted: Fri Apr 24, 2020 12:48 Post subject:
did you try creating the new unbound directory? that way the root.hints would be up-to-date. then add the directory and files to the unbound.conf chroot: "/jffs/unbound" directory: "/jffs/unbound" root-hints: "/jffs/unbound/root.hints" auto-trust-anchor-file: "/jffs/unbound/root.key" Last edited by tinkeruntilitworks on Tue Jun 23, 2020 16:29; edited 1 time in total

Sponsor

tatsuya46
DD-WRT Guru

Joined: 03 Jan 2010
Posts: 7410
Location: YWG, Canada

Posted: Fri Apr 24, 2020 13:23 Post subject:

tinkeruntilitworks wrote:

tatsuya46 wrote:

this is my current conf for reference.. recursion, no dnssec. still trying to understand some things like target-fetch-policy, auth zone, and why root hints cant be changed etc.

Code:

server:
verbosity: 1
interface: 0.0.0.0
outgoing-num-tcp: 15
incoming-num-tcp: 15
msg-buffer-size: 65552
outgoing-range: 4096
num-queries-per-thread: 2048
so-rcvbuf: 5m
so-sndbuf: 5m
key-cache-size: 8m
neg-cache-size: 2m
msg-cache-size: 128m
rrset-cache-size: 256m
rrset-roundrobin: yes
cache-min-ttl: 3600
infra-host-ttl: 259200
infra-cache-numhosts: 100000
serve-expired: yes
username: ""
pidfile: "/var/run/unbound.pid"
root-hints: "/etc/unbound/named.cache"
auto-trust-anchor-file: ""
prefetch: yes
prefetch-key: yes
target-fetch-policy: "-1 -1 -1 -1 -1"
harden-short-bufsize: no
harden-large-queries: no
minimal-responses: no
so-reuseport: yes
num-threads: 4
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
port: 7053
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
access-control: 127.0.0.0/8 allow
access-control: 10.150.10.0/24 allow
access-control: 0.0.0.0/0 refuse
local-data: "localhost A 127.0.0.1"
auth-zone:
name: "."
master: 199.7.91.13 # d.root-servers.net
master: 192.203.230.10 # e.root-servers.net
master: 192.5.5.241 # f.root-servers.net
master: 192.58.128.30 # j.root-servers.net
fallback-enabled: yes
for-downstream: no
for-upstream: yes
zonefile: root.zone
python:
remote-control:

running on a x86 with 4gb ram so adjust accordingly for a weak arm router etc..

did you try creating the new unbound directory?
that way the root.hints would be up-to-date.
then add the directory and files to the unbound.conf
chroot: "/jffs/unbound"
directory: "/jffs/unbound"
root-hints: "/jffs/unbound/root.hints"
auto-trust-anchor-file: "/jffs/unbound/root.key"

i dont understand chroot purpose, everytime i tried anything with it unbound always dont start. ill try it that way later.
_________________
LATEST FIRMWARE(S)

BrainSlayer wrote:

we just do it since we do not like any restrictions enforced by stupid cocaine snorting managers

[x86_64] Haswell i3-4150/QCA9984/QCA9882 ------> r45460 std
[QUALCOMM] DIR-862L --------------------------------> r45460 std
[QUALCOMM] WNDR4300 v1 --------------------------> r45460 std
[QUALCOMM] DIR-862L --------------------------------> r45460 std
▲ ACTIVE / INACTIVE ▼
[BROADCOM] DIR-860L A1 ----------------------------> r44901 std

If you use DSLReports please enable hi-res bufferbloat.

Sigh.. why do i exist anyway..

tinkeruntilitworks
Guest

Posted: Fri Apr 24, 2020 13:38 Post subject:
i include the chroot setting because in the default settings it uses chroot to the temp directory where the default router conf is created maybe chroot: "" would be better?

tatsuya46
DD-WRT Guru

Joined: 03 Jan 2010
Posts: 7410
Location: YWG, Canada

Posted: Fri Apr 24, 2020 17:48 Post subject:

tinkeruntilitworks wrote:

i include the chroot setting because in the default settings it uses chroot to the temp directory where the default router conf is created

maybe
chroot: ""

would be better?

the first suggestion worked

chroot: "/jffs/etc"
directory: "/jffs/etc"
root-hints: "/jffs/etc/named.cache"
auto-trust-anchor-file: "/jffs/etc/root.key"

and it started.
_________________
LATEST FIRMWARE(S)

BrainSlayer wrote:

we just do it since we do not like any restrictions enforced by stupid cocaine snorting managers

tinkeruntilitworks
Guest

Posted: Fri Apr 24, 2020 21:33 Post subject:
.. Last edited by tinkeruntilitworks on Tue Jun 23, 2020 16:32; edited 1 time in total

Redback813
DD-WRT Novice

Joined: 10 Nov 2015
Posts: 39

Posted: Sun Apr 26, 2020 7:55 Post subject:

Still can't get unbound to work with the custom setting, I'm running DD-WRT v3.0-r42954 std (04/20/20) I know for sure that samba has a serious issue of dropouts, so this would not surprise me if unbound is having issue also. Here is the setting, I'll be dammed if I can get this to work but the default setting is not a problem.

server:
verbosity: 1
interface: 0.0.0.0@7053
interface: ::0@7053
outgoing-num-tcp: 10
incoming-num-tcp: 10
msg-buffer-size: 8192
msg-cache-size: 50m
num-queries-per-thread: 30
rrset-cache-size: 100m
infra-cache-numhosts: 200
username: ""
pidfile: "/var/run/unbound.pid"
root-hints: "/jffs/unbound/named.cache"
chroot: "/jffs/unbound"
directory: "/jffs/unbound"
include: "/jffs/unbound/conf.d/*.conf"
target-fetch-policy: "2 1 0 0 0 0"
harden-short-bufsize: yes
harden-large-queries: yes
auto-trust-anchor-file: "/jffs/unbound/root.key"
key-cache-size: 100k
neg-cache-size: 10k
num-threads: 2
so-rcvbuf: 1m
so-sndbuf: 1m
so-reuseport: yes
msg-cache-slabs: 2
rrset-cache-slabs: 2
infra-cache-slabs: 2
key-cache-slabs: 2
outgoing-range: 462
access-control: 127.0.0.0/8 allow
access-control: 10.10.10.0/24 allow
local-data: "localhost A 127.0.0.1"
python:
remote-control:
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 209.222.18.218@853#Privateinternetaccess-dns.com
forward-addr: 209.222.18.222@853#Privateinternetaccess-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com
forward-addr: 1.1.1.1@853#cloudflare-dns.com

tinkeruntilitworks
Guest

Posted: Sun Apr 26, 2020 11:44 Post subject:
unbound does dns over tls using tcp only. possibly the issue? i'm not familiar with the private internet access dns or your include conf hopefully someone that has mixed a vpn and unbound see this so they could help

Redback813
DD-WRT Novice

Joined: 10 Nov 2015
Posts: 39

Posted: Sun Apr 26, 2020 12:50 Post subject:

tinkeruntilitworks wrote:

unbound does dns over tls using tcp only. possibly the issue?

i'm not familiar with the private internet access dns or your include conf

hopefully someone that has mixed a vpn and unbound see this so they could help

Top question is incorrect since one can use UDP were as TCP will slow request down with regards to DNSSEC and as for PIA, this has no bearing when this is disable as there is no differences.

tinkeruntilitworks
Guest

Posted: Sun Apr 26, 2020 14:31 Post subject:
i stand by my comment of unbound doing dns over tls tcp only i've found dnssec is sped up if you enable ipv6 * just noticed you don't have the tls cert bundle setting in your unbound conf tls-cert-bundle: "/etc/ssl/ca-bundle.crt"

Redback813
DD-WRT Novice

Joined: 10 Nov 2015
Posts: 39

Posted: Mon Apr 27, 2020 0:42 Post subject:

tinkeruntilitworks wrote:

i stand by my comment of unbound doing dns over tls tcp only

i've found dnssec is sped up if you enable ipv6

*
just noticed you don't have the tls cert bundle setting in your unbound conf
tls-cert-bundle: "/etc/ssl/ca-bundle.crt"

When it comes to IPv6 and VPN services there is plenty of info with regards to this leaking protocol, still no go, did you disable the "Use DNSMasq for DNS"?

tinkeruntilitworks
Guest

Posted: Mon Apr 27, 2020 2:11 Post subject:

Redback813 wrote:

did you disable the "Use DNSMasq for DNS"?

no. i keep it enabled

Redback813
DD-WRT Novice

Joined: 10 Nov 2015
Posts: 39

Posted: Mon Apr 27, 2020 4:26 Post subject:

tinkeruntilitworks wrote:

Redback813 wrote:

did you disable the "Use DNSMasq for DNS"?

no. i keep it enabled

One question where did you put the finished unbound.conf file?

tinkeruntilitworks
Guest

Posted: Mon Apr 27, 2020 12:01 Post subject:
deleted incorrect info Last edited by tinkeruntilitworks on Mon Apr 27, 2020 17:56; edited 1 time in total

E900
DD-WRT Novice

Joined: 05 Mar 2018
Posts: 24
Location: In your Heart

Posted: Mon Apr 27, 2020 17:21 Post subject:
.. Last edited by E900 on Thu May 07, 2020 18:55; edited 5 times in total

tinkeruntilitworks
Guest

Posted: Mon Apr 27, 2020 17:39 Post subject:
much appreciated i'll make the adjustments

Goto page Previous 1, 2, 3, 4, 5 Next

Display posts from previous:

Page 3 of 5

DD-WRT Forum Forum Index -> Advanced Networking

All times are GMT

Navigation

Jump to:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum

Log in

Unbound DNS over TLS Adblock up-to-date root.hints

Quick Links

Log in